docs/cli/gateway.md
The Gateway is OpenClaw's WebSocket server (channels, nodes, sessions, hooks). All subcommands below live under openclaw gateway ....
openclaw gateway
openclaw gateway run # equivalent, explicit form
--claude-cli-logs is a deprecated alias for --cli-backend-logs.
For --bind custom, set gateway.customBindHost to an IPv4 address; the Gateway falls back to 0.0.0.0 if that address is unavailable. IPv6-only bring-your-own-host setups need an IPv4 sidecar or proxy in front of the Gateway.
openclaw gateway restart
openclaw gateway restart --safe
openclaw gateway restart --safe --skip-deferral
openclaw gateway restart --force
openclaw gateway restart --wait 30s
--safe asks the running Gateway to preflight active work and schedule one coalesced restart after that work drains. The wait is bounded by gateway.reload.deferralTimeoutMs (default: 5 minutes / 300000); when the budget expires the restart is forced. Set deferralTimeoutMs: 0 to wait indefinitely (with periodic still-pending warnings) instead of forcing. --safe cannot combine with --force or --wait.
--skip-deferral bypasses the active-work deferral gate on a safe restart, so the Gateway restarts immediately even with reported blockers. It requires --safe — use it when a deferral is stuck on a runaway task.
--wait <duration> overrides the drain budget for a plain (non-safe) restart. Accepts bare milliseconds or unit suffixes ms, s, m, h, d (e.g. 30s, 5m, 1h30m); --wait 0 waits indefinitely. Not compatible with --force or --safe.
--force skips the active-work drain and restarts immediately. Plain restart (no flags) keeps the existing service-manager restart behavior.
OPENCLAW_GATEWAY_STARTUP_TRACE=1 logs phase timings during startup, including per-phase eventLoopMax delay and plugin lookup-table timings (installed-index, manifest registry, startup planning, owner-map work).OPENCLAW_GATEWAY_RESTART_TRACE=1 logs restart-scoped restart trace: lines: signal handling, active-work drain, shutdown phases, next start, ready timing, and memory metrics.OPENCLAW_DIAGNOSTICS=timeline with OPENCLAW_DIAGNOSTICS_TIMELINE_PATH=<path> writes a best-effort JSONL startup diagnostics timeline for external QA harnesses (equivalent to config diagnostics.flags: ["timeline"]; the path is still env-only). Add OPENCLAW_DIAGNOSTICS_EVENT_LOOP=1 to include event-loop samples.pnpm build then pnpm test:startup:gateway -- --runs 5 --warmup 1 benchmarks Gateway startup against the built CLI entry: first process output, /healthz, /readyz, startup trace timings, event-loop delay, and plugin lookup-table timing.pnpm build then pnpm test:restart:gateway -- --case skipChannels --runs 1 --restarts 5 benchmarks in-process restart on macOS or Linux (not supported on Windows; restart requires SIGUSR1). Uses SIGUSR1, enables both traces in the child process, and records next /healthz, next /readyz, downtime, ready timing, CPU, RSS, and restart trace metrics./healthz is liveness; /readyz is usable readiness. Treat trace lines and benchmark output as owner-attribution signal, not a complete performance conclusion from one span or sample.All query commands use WebSocket RPC.
<Tabs> <Tab title="Output modes"> - Default: human-readable (colored in TTY). - `--json`: machine-readable JSON (no styling/spinner). - `--no-color` (or `NO_COLOR=1`): disable ANSI while keeping human layout. </Tab> <Tab title="Shared options"> - `--url <url>`: Gateway WebSocket URL. - `--token <token>`: Gateway token. - `--password <password>`: Gateway password. - `--timeout <ms>`: timeout/budget (default varies per command; see each command below). - `--expect-final`: wait for a "final" response (agent calls). </Tab> </Tabs> <Note> When you set `--url`, the CLI does not fall back to config or environment credentials. Pass `--token` or `--password` explicitly. Missing explicit credentials is an error. </Note>gateway healthopenclaw gateway health --url ws://127.0.0.1:18789
openclaw gateway health --port 18789
/healthz is a liveness probe: it returns as soon as the server can answer HTTP. /readyz is stricter and stays red while startup plugin sidecars, channels, or configured hooks are still settling. Local or authenticated detailed /readyz responses include an eventLoop diagnostic block (delay, utilization, CPU-core ratio, degraded flag).
gateway usage-costFetch usage-cost summaries from session logs.
openclaw gateway usage-cost
openclaw gateway usage-cost --days 7
openclaw gateway usage-cost --agent work --json
openclaw gateway usage-cost --all-agents
openclaw gateway usage-cost --json
gateway stabilityFetch the recent diagnostic stability recorder from a running Gateway.
openclaw gateway stability
openclaw gateway stability --type payload.large
openclaw gateway stability --bundle latest
openclaw gateway stability --bundle latest --export
openclaw gateway stability --json
gateway diagnostics exportWrite a local diagnostics zip designed for bug reports. For the privacy model and bundle contents, see Diagnostics Export.
openclaw gateway diagnostics export
openclaw gateway diagnostics export --output openclaw-diagnostics.zip
openclaw gateway diagnostics export --json
The export bundles: manifest.json (file inventory), summary.md (Markdown summary), diagnostics.json (top-level config/logs/discovery/stability/status/health summary), config/sanitized.json, status/gateway-status.json, health/gateway-health.json, logs/openclaw-sanitized.jsonl, and stability/latest.json when a bundle exists.
It is designed to be shared. It keeps operational details useful for debugging — safe log fields, subsystem names, status codes, durations, configured modes, ports, plugin/provider ids, non-secret feature settings, and redacted operational log messages — and omits or redacts chat text, webhook bodies, tool outputs, credentials, cookies, account/message identifiers, prompt/instruction text, hostnames, and secret values. When a log message looks like user/chat/tool payload text (e.g. "user said", "chat text", "tool output", "webhook body"), the export keeps only the fact that a message was omitted plus its byte count.
gateway statusShows the Gateway service (launchd/systemd/schtasks) plus an optional connectivity/auth probe.
openclaw gateway status
openclaw gateway status --json
openclaw gateway status --require-rpc
gateway probeThe "debug everything" command. It always probes:
Passing --url adds that explicit target ahead of both. Human output labels targets URL (explicit), Remote (configured) / Remote (configured, inactive), and Local loopback.
openclaw gateway probe
openclaw gateway probe --json
openclaw gateway probe --port 18789
- `ok`: at least one target is reachable.
- `degraded`: at least one target accepted a connection but did not complete full detail RPC diagnostics.
- `capability`: best capability seen across reachable targets (`read_only`, `write_capable`, `admin_capable`, `pairing_pending`, `connected_no_operator_scope`, or `unknown`).
- `primaryTargetId`: best target to treat as the active winner, in order: explicit URL, SSH tunnel, configured remote, local loopback.
- `warnings[]`: best-effort warning records with `code`, `message`, optional `targetIds`.
- `network`: local loopback/tailnet URL hints derived from current config and host networking.
- `discovery.timeoutMs` / `discovery.count`: the actual discovery budget/result count used for this probe pass.
Per target (`targets[].connect`): `ok` (reachability + degraded classification), `rpcOk` (full detail RPC success), `scopeLimited` (detail RPC failed on missing operator scope).
Per target (`targets[].auth`): `role` and `scopes` reported in `hello-ok` when available, plus the surfaced `capability` classification.
The macOS app "Remote over SSH" mode uses a local port-forward so a loopback-only remote gateway becomes reachable at ws://127.0.0.1:<port>.
CLI equivalent:
openclaw gateway probe --ssh user@gateway-host
Config defaults (optional): gateway.remote.sshTarget, gateway.remote.sshIdentity.
gateway call <method>Low-level RPC helper.
openclaw gateway call status
openclaw gateway call logs.tail --params '{"limit": 200}'
openclaw gateway install
openclaw gateway start
openclaw gateway stop
openclaw gateway restart
openclaw gateway uninstall
Use --wrapper when the managed service must start through another executable, for example a secrets manager shim or a run-as helper. The wrapper receives the normal Gateway args and is responsible for eventually exec'ing openclaw or Node with those args.
cat > ~/.local/bin/openclaw-doppler <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
exec doppler run --project my-project --config production -- openclaw "$@"
EOF
chmod +x ~/.local/bin/openclaw-doppler
openclaw gateway install --wrapper ~/.local/bin/openclaw-doppler --force
openclaw gateway restart
You can also set the wrapper through the environment. gateway install validates that the path is an executable file, writes the wrapper into the service ProgramArguments, and persists OPENCLAW_WRAPPER in the service environment for later forced reinstalls, updates, and doctor repairs.
OPENCLAW_WRAPPER="$HOME/.local/bin/openclaw-doppler" openclaw gateway install --force
openclaw doctor
To remove a persisted wrapper, clear OPENCLAW_WRAPPER while reinstalling:
OPENCLAW_WRAPPER= openclaw gateway install --force
openclaw gateway restart
gateway discover scans for Gateway beacons (_openclaw-gw._tcp).
local.openclaw.internal.) and set up split DNS + a DNS server; see Bonjour.Only gateways with Bonjour discovery enabled (default) advertise the beacon.
TXT hints on every beacon: role (gateway role hint), transport (transport hint, e.g. gateway), gatewayPort (WebSocket port, usually 18789), tailnetDns (MagicDNS hostname, when available), gatewayTls / gatewayTlsSha256 (TLS enabled + cert fingerprint). sshPort and cliPath are published only in full discovery mode (discovery.mdns.mode: "full"; default is "minimal", which omits them — clients then default SSH targets to port 22).
gateway discoveropenclaw gateway discover
Examples:
openclaw gateway discover --timeout 4000
openclaw gateway discover --json | jq '.beacons[].wsUrl'